SSL Server Certificate - shawfdong/hyades GitHub Wiki

UCSC is now participating in the InCommon Certificate Service, which entitles the campus to unlimited digital certificates[1]. Here is how to generate an SSL/X.509 certificate for a web server, e.g., maia.ucsc.edu.

NOTE: all major web browser vendors have announced that they are deprecating support for SHA1 in browsers and moving to SHA256[2]. Starting from October 2014, InCommon issues SHA256 certificates. This guide has been updated to use SHA256 (SHA2).

Generate a CSR (Certificate Signing Request):

I use the following bash script (req.sh)[3]:

#!/bin/bash
### certificate request: generate a 2048-bit RSA private key and a
### SHA256-signed CSR for <host>.ucsc.edu

if [ $# -ne 1 ]
then
  echo "Usage: $0 host"
  exit 1
fi

# -nodes leaves the private key unencrypted so the web server can load it
# without a passphrase; protect the file with permissions instead
openssl req \
  -new -newkey rsa:2048 -sha256 -nodes \
  -subj "/C=US/ST=California/L=Santa Cruz/O=University of California, Santa Cruz/CN=$1.ucsc.edu" \
  -keyout "$1.key" -out "$1.csr"

# print the CSR so the subject can be checked before it is submitted
openssl req -in "$1.csr" -noout -text

To generate a CSR for maia.ucsc.edu, I run:

$ ./req.sh maia

which will produce two files: maia.key (the private key) and maia.csr (the CSR).

Go to https://ucsc.service-now.com/, and open a ticket for SSL Certificate Request. After a few days, the signed certificate (maia_ucsc_edu.cer) will arrive in an email.

The signed certificate file actually packs the server certificate together with 3 CA certificates, in the order of:

  1. AddTrust External CA Root
  2. USERTrust RSA Certification Authority
  3. InCommon RSA Server CA
  4. maia

They are in the wrong order and won't work with nginx! We can either rearrange them in the order of:

  1. maia
  2. InCommon RSA Server CA
  3. USERTrust RSA Certification Authority
  4. AddTrust External CA Root

and save the file as maia_chain.crt; or delete the first 3 entries (as they are trusted CAs) and save the modified file as maia.crt. However, the intermediate USERTrust RSA Certification Authority may not be trusted by all clients yet, so we use the first approach here.
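Rearranging by hand is error-prone, so here is an added helper (not part of this wiki) that puts a bundle into nginx order by following the subject/issuer links between the certificates instead of relying on their position in the file. It assumes openssl and awk are on the PATH; file names follow the wiki's example.

```sh
#!/bin/sh
# Reorder a PEM certificate bundle into the order nginx expects:
# server certificate first, then each intermediate, ending with the root.
# The order is derived from subject/issuer links, so it also works when the
# bundle arrives in any other order or with the root omitted.
set -e

reorder_chain() {
  bundle=$1
  work=$(mktemp -d)
  # one file per certificate (1.pem, 2.pem, ...); text before the first
  # BEGIN line (mail headers, "Bag Attributes") is dropped
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (d "/" n ".pem")}' "$bundle"
  # index: file <TAB> subject <TAB> issuer
  for f in "$work"/*.pem; do
    printf '%s\t%s\t%s\n' "$f" \
      "$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')" \
      "$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')"
  done > "$work/index"
  # the server (leaf) certificate is the only one whose subject is nobody's issuer
  leaf=$(awk -F '\t' 'NR == FNR {iss[$3] = 1; next} !($2 in iss) {print $1}' \
           "$work/index" "$work/index")
  if [ -z "$leaf" ] || [ "$(printf '%s\n' "$leaf" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "reorder_chain: cannot identify a unique server certificate" >&2
    rm -rf "$work"; return 1
  fi
  # walk upwards: each certificate is followed by the one whose subject is its issuer
  cur=$leaf
  while [ -n "$cur" ]; do
    cat "$cur"
    issuer=$(awk -F '\t' -v f="$cur" '$1 == f {print $3}' "$work/index")
    subject=$(awk -F '\t' -v f="$cur" '$1 == f {print $2}' "$work/index")
    [ "$subject" = "$issuer" ] && break      # self-signed root: chain complete
    cur=$(awk -F '\t' -v i="$issuer" '$2 == i {print $1; exit}' "$work/index")
  done
  rm -rf "$work"
}

# usage: reorder_chain maia_ucsc_edu.cer > maia_chain.crt
```

After writing maia_chain.crt, `openssl x509 -in maia_chain.crt -noout -subject` should print the server's name, since only the first certificate in the file is read.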

Upload maia.key (the private key) and maia_chain.crt (the certificate) to /etc/ssl/ on the server maia.ucsc.edu. The two files should be readable only by root.

# chown root:root maia_chain.crt maia.key
# chmod 400 maia_chain.crt maia.key

Add the following lines to the nginx configuration file (/etc/nginx/conf.d/maia.conf):

    ssl_certificate      /etc/ssl/maia_chain.crt;
    ssl_certificate_key  /etc/ssl/maia.key;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout  10m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

SAN Certificates

The above procedure works for most servers. However, it won't work for the Huawei Universal Distributed Storage system, which has both yun.ucsc.edu and *.yun.ucsc.edu as its domain names. The Huawei Universal Distributed Storage system calls for a certificate with SubjectAltName (a SAN certificate). SubjectAltName (Subject Alternative Names, or SAN) is an X.509 Version 3 (RFC 2459) extension that allows an SSL certificate to specify multiple names the certificate should match. SubjectAltName can contain email addresses, IP addresses, regular DNS host names, etc.[4]

Create an OpenSSL configuration file that enables subject alternative names (yun.cnf):

[ req ]
default_bits            = 2048
default_keyfile         = yun.key
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California

localityName                    = Locality Name (eg, city)
localityName_default            = Santa Cruz

organizationName                = Organization Name (eg, company)
organizationName_default        = University of California, Santa Cruz

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = yun.ucsc.edu

[ v3_req ]
subjectAltName          = @alt_names

[ alt_names ]
DNS.1                   = yun.ucsc.edu
DNS.2                   = *.yun.ucsc.edu

Generate private key & CSR:

$ openssl req \
    -new -newkey rsa:2048 -sha256 -nodes \
    -subj '/C=US/ST=California/L=Santa Cruz/O=University of California, Santa Cruz/CN=yun.ucsc.edu' \
    -out yun.csr -config yun.cnf

which will produce two files: yun.key (the private key, named by the default_keyfile setting in yun.cnf) and yun.csr (the CSR, carrying the subjectAltName extension from the v3_req section).

References

  1. Digital Certificate Service
  2. Deprecation of SHA-1 and moving to SHA-2
  3. OpenSSL Command-Line HOWTO
  4. Multiple Names on One Certificate